While doing security research dealing with IOT devices and home security, I decided to look into smart thermostats. While Googles Nest series of IOT devices seem to have the greatest security built into them it appears that the Google Nest Thermostat has a security vulnerability. In this day in age even the big companies like Google, Amazon, Samsung, etc.… still have vulnerabilities in their so called “Smart” devices. Even though these big companies still sometimes overlook a vulnerability in their IOT devices, purchasing a device from a big company is probably the consumers best bet in getting the best security tested device. Google is not a newcomer into the world of security, and they seem to do a very good job of releasing secure devices into the world but the war dealing with computer security is a never-ending battle and sometimes hackers even get one over on Google. I am a big fan of Google and what they do in the technological world and I have many Google devices powering my home. Fortunately, I do not have the Google Nest Thermostat and I don’t know if I will ever wind up getting a Smart thermostat anyway. In this document I will go over what the Google Nest Thermostat is, how this vulnerability can be taken advantage of, and what Google is doing, or the user can do to prevent becoming victim to this vulnerability.
The Google Nest Thermostat is a smart thermostat that is part of Googles line of IOT devices. The capabilities of this thermostat are built in WIFI, a temperature sensor, a humidity sensor, 24-bit color display, and is available in 5 different languages (Google, 2020). If you would like to buy one of these smart thermostats it will cost about $249.00. Google states on their web site that this thermostat is compatible with 95% of heating and cooling systems. This thermostats operating system is Linux based and has menus for switching from heating to cooling, access to device settings, energy history, and scheduling (Wikipedia, 2020). Since its first appearance in the market, it has been given many security updates and to get an update it requires two factor authentications. This thermostat connects to all other Nest devices through a protocol called Weave that is done over WIFI.
The vulnerability on the Google Nest thermostat is taken advantage of by connecting to it by the USB port with a flash drive and while holding the power button for 10 seconds a person can inject malicious software into the devices (Wagenseil, 2014). This malicious software can be of any type mainly botnets or spying software. Note that to achieve gaining access to this vulnerability the malicious user has to have physical access to the device. This type of hack was demonstrated by three security researchers at a Blackhat conference on August 7, 2014. The three researchers’ names were Yier Jin, Grant Hernandez, and Daniel Buentello (Wagenseil, 2014). The nest thermostat appears to have very good security when it comes to wireless communications, but the USB is quite insecure. The nest devices know much of a user’s private information like if they are home or not, their postal code, usernames and passwords. Since it knows this type of information, this vulnerability could be very dangerous if the right hacker gains access to it. The malicious software injected into the nest thermostat can also be used to gain access to other devices on the network which could be done using an ARP(Address Resolution Protocol) tool (Tilley, 2015).
The Nest company is trying to become the biggest name in home connected devices. The company’s founder says that they have a team in place to test for vulnerabilities and that they do extensive testing on all of their devices. I am sure that after this vulnerability was found out that the Nest company has pushed an update of some sort to patch the device. The Nest company has also stated that if a hacker has physical access to a device no matter what device it is, that they can potentially hack the device. To prevent becoming a victim of this type of attack I think the user should always be aware of who they let inside their home. Since physical access to the device is necessary to exploit this vulnerability, like some other devices I have researched, being aware of who is in your home is a big thing. The user should always make sure that all of their IOT devices are up to date with the latest security patches. The reason that the Nest thermostat allows a person to connect with a flash USB and load software onto it is so the firmware can be manually updated. I guess the Nest company did not see this as a great threat.
To conclude I would like to state that I like the Google Nest Company. I think that they are on a solid path to becoming the most used IOT home devices. I like how all of their devices work together on the same network and I think that the company itself takes great pride in their security practices. This hack may possibly be an example of something that could be inevitable in the process of designing an IOT device. Maybe Nest is right that any device can be hacked if a malicious user has physical access to it. I personally do not have a smart thermostat because I only change the temperature on mine about twice a year, but I love the idea of having your thermostat become smart so that if you are away on vacation or something like that you can control the temperature of your home from far away.
Google. (2020, April 9). Nest Thermostat Specifications. Retrieved from store.google.com: https://store.google.com/us/product/nest_learning_thermostat_3rd_gen_specs
Tilley, A. (2015, March 6). How Hackers Could Use A Nest Thermostat As An Entry Point Into Your Home. Retrieved from forbes.com: https://www.forbes.com/sites/aarontilley/2015/03/06/nest-thermostat-hack-home-network/#788408d39864
Wagenseil, P. (2014, August 7). Nest Smart Thermostat Can Be Hacked to Spy on Owners. Retrieved from tomsguide.com: https://www.tomsguide.com/us/nest-spying-hack,news-19290.html
Wikipedia. (2020, April 9). Nest Learning Thermostat. Retrieved from wikipedia.org: https://en.wikipedia.org/wiki/Nest_Learning_Thermostat#Hardware